Total
388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41542 | 1 Devhubapp | 1 Devhub | 2025-05-13 | N/A | 5.4 MEDIUM |
| devhub 0.102.0 was discovered to contain a broken session control. | |||||
| CVE-2025-46336 | 2025-05-12 | N/A | 4.2 MEDIUM | ||
| Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1. | |||||
| CVE-2025-4528 | 2025-05-12 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-2782 | 1 Octopus | 1 Octopus Server | 2025-05-07 | N/A | 9.1 CRITICAL |
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | |||||
| CVE-2024-52553 | 1 Jenkins | 1 Openid Connect Authentication | 2025-05-07 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-46815 | 2025-05-07 | N/A | 8.0 HIGH | ||
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
| CVE-2022-40230 | 1 Ibm | 1 Mq Appliance | 2025-05-02 | N/A | 6.5 MEDIUM |
| "IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235532." | |||||
| CVE-2025-46344 | 2025-05-02 | N/A | N/A | ||
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1. | |||||
| CVE-2022-36179 | 1 Fusiondirectory | 1 Fusiondirectory | 2025-04-29 | N/A | 9.8 CRITICAL |
| Fusiondirectory 1.3 suffers from Improper Session Handling. | |||||
| CVE-2021-47663 | 2025-04-29 | N/A | 8.1 HIGH | ||
| Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access. | |||||
| CVE-2025-2185 | 2025-04-29 | N/A | 8.0 HIGH | ||
| ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception. | |||||
| CVE-2023-45600 | 1 Ailux | 1 Imx6 | 2025-04-23 | N/A | 5.6 MEDIUM |
| A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2024-35048 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 4.3 MEDIUM |
| An issue in SurveyKing v1.3.1 allows attackers to execute a session replay attack after a user changes their password. | |||||
| CVE-2024-35049 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 9.1 CRITICAL |
| SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590. | |||||
| CVE-2024-35050 | 1 Surveyking | 1 Surveyking | 2025-04-23 | N/A | 8.8 HIGH |
| An issue in SurveyKing v1.3.1 allows attackers to escalate privileges via re-using the session ID of a user that was deleted by an Admin. | |||||
| CVE-2025-42602 | 2025-04-23 | N/A | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | |||||
| CVE-2022-47406 | 1 Change Password For Frontend Users Project | 1 Change Password For Frontend Users | 2025-04-21 | N/A | 5.4 MEDIUM |
| An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed. | |||||
| CVE-2017-6529 | 1 Dnatools | 1 Dnalims | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter. | |||||
| CVE-2017-11667 | 1 Openproject | 1 Openproject | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session. | |||||
| CVE-2017-14007 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2025-04-20 | 6.8 MEDIUM | 5.6 MEDIUM |
| An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. | |||||